Objectives
- Know important reasons to encrypt information
- Understand how LUKS operates through cryptsetup
- Set up and use encrypted filesystems and partitions
- Know how to configure the system to mount encrypted partitions at boot time
Why Use Encryption
- Protect sensitive information
LUKS
- Linux Unified Key Setup
- Installed on top of cryptsetup
- Can be used to encrypt swap partitions
Cryptsetup
- Once encrypted, volumes can be mounted or unmounted with normal utilities
Lab 10.1: Disk Encryption
In this exercise, you will encrypt a partition on the disk in order to provide a measure of security in the event that the hard drive or laptop is stolen. Reviewing the cryptsetup documentation first would be a good idea (man cryptsetup and cryptsetup --help).
1. Create a new partition for the encrypted block device with fdisk. Make sure the kernel is aware of the new partition table. A reboot will do this but there are other methods.
2. Format the partition with cryptsetup using LUKS for the crypto layer.
3. Create the unencrypted pass-through device by opening the encrypted block device, i.e., secret-disk.
4. Add an entry to /etc/crypttab so that the system prompts for the passphrase on reboot.
5. Format the filesystem as an ext4 filesystem.
6. Create a mount point for the new filesystem, i.e., /secret.
7. Add an entry to /etc/fstab so that the filesystem is mounted on boot.
8. Try to mount the encrypted filesystem.
9. Validate the entire configuration by rebooting.
1. Create a new partition
$ sudo fdisk /dev/sda
2. Encrypt the partition; it will prompt for a passphrase
$ sudo cryptsetup luksFormat /dev/sda4
3. Open the LUKS container and give it a name (secret-disk)
$ sudo cryptsetup luksOpen /dev/sda4 secret-disk
4. Add the following to /etc/crypttab:
secret-disk /dev/sda4
5. Create a filesystem of type ext4 on /dev/mapper/secret-disk
$ sudo mkfs -t ext4 /dev/mapper/secret-disk
6. Create the folder secret under /
$ sudo mkdir -p /secret
7. Add the following to /etc/fstab:
/dev/mapper/secret-disk /secret ext4 defaults 1 2
8. Mount just the one filesystem:
$ sudo mount /secret
or mount all filesystems mentioned in /etc/fstab:
$ sudo mount -a
9. Reboot.
Lab 10.2: Disk Encryption
1. Find out what partition you are currently using for swap and then deactivate it:
$ cat /proc/swaps
Filename        Type       Size     Used  Priority
/dev/sda11      partition  4193776  0     -1
$ sudo swapoff /dev/sda11
2. Do the same steps as in the previous exercise to set up encryption:
$ sudo cryptsetup luksFormat /dev/sda11    # may use the --cipher aes option
$ sudo cryptsetup luksOpen /dev/sda11 swapcrypt
3. Format the encrypted device to use with swap:
$ sudo mkswap /dev/mapper/swapcrypt
4. Now test to see if it actually works by activating it:
$ sudo swapon /dev/mapper/swapcrypt
$ cat /proc/swaps
5. To ensure the encrypted swap partition can be activated at boot you need to do two things:
(a) Add a line to /etc/crypttab so that the system prompts for the passphrase on reboot:
swapcrypt /dev/sda11 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
(Note /dev/urandom is preferred over /dev/random for reasons involving potential entropy shortages as discussed in the man page for crypttab.) You don’t need the detailed options that follow, but we give them as an example of what more you can do.
(b) Add an entry to the /etc/fstab file so that the swap device is activated on boot.
/dev/mapper/swapcrypt none swap defaults 0 0
6. You can validate the entire configuration by rebooting.
To restore your original unencrypted partition:
$ sudo swapoff /dev/mapper/swapcrypt
$ sudo cryptsetup luksClose swapcrypt
$ sudo mkswap /dev/sda11
$ sudo swapon -a
If the swapon command fails, it is likely because /etc/fstab no longer properly describes the swap partition. If the partition is listed there by its actual device node (/dev/sda11) there won't be a problem. You can fix this either by changing the line there to be:
/dev/sda11 swap swap defaults 0 0
or by giving a label when formatting and using it as in:
$ sudo mkswap -L SWAP /dev/sda11
and then putting in the file:
LABEL=SWAP swap swap defaults 0 0
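Both labs end with a reboot that only succeeds if the /etc/crypttab and /etc/fstab entries agree with each other. The following shell check, added here as an example and not part of the course material, cross-references the two files before that reboot: the check_crypt_mounts function, the temporary file paths and the sample entries (including one deliberate typo) are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the course lab: cross-check /etc/crypttab against
# /etc/fstab before rebooting (lab 10.1 steps 8-9, lab 10.2 steps 5-6), so every
# /dev/mapper/<name> that fstab mounts or swapons at boot has a crypttab entry
# and every crypttab mapping is actually used. The function name and file paths
# are this example's own; it runs offline on two constructed sample files.

# Usage: check_crypt_mounts CRYPTTAB FSTAB
# Prints each mismatch; returns 0 when the two files agree, 1 otherwise.
check_crypt_mounts() {
    crypttab=$1; fstab=$2; status=0
    # Target names declared in crypttab: first field of non-comment lines.
    declared=$(awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$crypttab")
    # Mapper names referenced in fstab: first field of the form /dev/mapper/<name>.
    used=$(awk '$1 ~ /^\/dev\/mapper\// { sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$fstab")
    for name in $used; do
        if ! printf '%s\n' "$declared" | grep -qxF "$name"; then
            echo "fstab uses /dev/mapper/$name but crypttab has no '$name' entry"
            status=1
        fi
    done
    for name in $declared; do
        if ! printf '%s\n' "$used" | grep -qxF "$name"; then
            echo "crypttab sets up '$name' but fstab never uses /dev/mapper/$name"
            status=1
        fi
    done
    return $status
}

# Constructed sample files: the two entries from the labs plus one deliberate
# mistake (a misspelled mapper name in fstab with no crypttab entry).
tmp=$(mktemp -d)
cat > "$tmp/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
secret-disk /dev/sda4
swapcrypt   /dev/sda11 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
EOF
cat > "$tmp/fstab" <<'EOF'
/dev/mapper/secret-disk /secret ext4 defaults 1 2
/dev/mapper/swapcrypt   none    swap defaults 0 0
/dev/mapper/secert-disk /data   ext4 defaults 0 2
EOF

if check_crypt_mounts "$tmp/crypttab" "$tmp/fstab"; then
    echo "crypttab and fstab agree"
else
    echo "fix the entries above before rebooting"
fi
```

Run it as root against the real files (check_crypt_mounts /etc/crypttab /etc/fstab) after completing step 7 of lab 10.1 or step 5 of lab 10.2 and before rebooting.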